Repeating same pin

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Start reaver specifying -i and -b
2. The pin usually gets 'stuck', repeating the same one

What is the expected output?
Continuously changing pin.

What do you see instead?
The same pin repeated.

What version of the product are you using? On what operating system?
1.1 on linux, kernel 2.6.38 using ath9k

Please provide any additional information below.
None at this time.

Original issue reported on code.google.com by ore...@gmail.com on 29 Dec 2011 at 10:21

[GoogleCodeExporter]

It seems it's just triggering the AP's timeout mechanism.

Original comment by ore...@gmail.com on 29 Dec 2011 at 11:21

[GoogleCodeExporter]

That is, after a few minutes, the pins begin to change again, then it gets 
'stuck' for a few minutes and keeps going.

Original comment by ore...@gmail.com on 29 Dec 2011 at 11:22

[GoogleCodeExporter]

I am experiencing the same problem
runnning SVN revision 16 on Backtrack5 R1 32bit inside vmware using RTL8187L 
base Afla card


/reaver -i wlan0 -b 00:1c:10:08:b7:a5 -vv -c 6

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching wlan0 to channel 6
[+] Waiting for beacon from 00:1C:10:08:B7:A5
[+] Switching wlan0 to channel 6
[+] Associated with 00:1C:10:08:B7:A5 (ESSID: linksys)
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] Trying pin 06691783
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] Trying pin 06691783
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] Trying pin 06691783
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[!] WARNING: 10 failed connections in a row
[+] Trying pin 06691783
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] Trying pin 06691783
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 06691783
[+] Trying pin 06691783
[!] WARNING: Receive timeout occurred
[+] Trying pin 06691783 

Original comment by jcdento...@gmail.com on 29 Dec 2011 at 11:22

Attachments:

• reaver_capture.pcap

[GoogleCodeExporter]

Seems my issue over there 
http://code.google.com/p/reaver-wps/issues/detail?id=10
is the same...

Original comment by S3M73X on 30 Dec 2011 at 1:35

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Exactly the same here.
SVN revision 16 on Ubuntu 10.04 32bit and Atheros ath5k

http://pastebin.com/i1A85U3A

Original comment by eb4...@gmail.com on 30 Dec 2011 at 2:12

[GoogleCodeExporter]

same. BT5 with alfa.

Original comment by tehca...@gmail.com on 30 Dec 2011 at 4:47

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Timeouts can occur legitimately (dropped packets, interference, etc), but 
should not be this severe provided you have a good signal from the target AP 
and that the AP supports WPS. 

These errors were also encountered and reproduced in the course of working on 
issue #6. The latest check-in seems to have fixed these timeout warnings for 
me; check out r20 and see if you still get the same issues.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 2:32

• Changed state: Started

[GoogleCodeExporter]

the signal is pretty good since I am 1 meter from my Linksys WRT54G2 v1 router 
on my table

I am running r22 now and the same problem
trying the same pin over and over again with timeouts 
this time I am using Atheros based card inside BT5 x64

on the other hand my BT5 32bit with r18 is working against AP somewhere in my 
building and so far I am @25%

could it be that my linksys is not vulnerable?

Original comment by jcdento...@gmail.com on 30 Dec 2011 at 3:13

[GoogleCodeExporter]

WRT54G2 should support WPS - make sure it's enabled.

I am having no issues in either BT5 RC1 32 or 64 bit. Could you try your 32bit 
box against the Linksys as well and see if you get the same problem? If you do, 
then I'd suspect it's an issue with the AP. If not, then maybe it's a 32 vs 64 
bit issue with the code.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 3:20

[GoogleCodeExporter]

I factory reset that AP, just enabled WPS and configured WPA password.
tested with r18 at BT5 R1 32bit as well and was seeing the same results.
signal is good and AP is responding with NACK as you can see in my attached 
pcap file.

but it could easily be that it is my AP's issue.

Thanks for such a great piece of SW :)

Original comment by jcdento...@gmail.com on 30 Dec 2011 at 3:36

[GoogleCodeExporter]

No attached pcap. :(

If the code is working against other APs, I'd suspect that it's an AP issue. 
Although adding support for the AP may require a code change.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 3:42

[GoogleCodeExporter]

I meant attached pcap in comment #3  in this thread

Original comment by jcdento...@gmail.com on 30 Dec 2011 at 4:03

[GoogleCodeExporter]

Ah, gotcha. It looks like reaver is functioning normally, but the AP is 
responding with a premature NACK message. 

The only thing I can think of is that a) It doesn't support WPS registrars or 
b) There is already an external registrar that has registered with the AP. 
Though I actually doubt either of those are the case. 

I will see if I can get a hold of one of these to test it myself.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 4:10

[GoogleCodeExporter]

Issue 10 has been merged into this issue.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 4:29

[GoogleCodeExporter]

I am getting the same thing on a Cisco DPC3825 DOCSIS 3.0 Gateway.   Just 
reconfigured WPS and connected my win7 laptop using WPS.

testing with BT5 R1

after about 2-5 mins keys started rolling again for about a minute and started 
locking up again.

Original comment by psycon...@gmail.com on 30 Dec 2011 at 5:21

[GoogleCodeExporter]

I have sniffed a successful PIN-Authentication with Windows7 as a Client 
(dbg_sucessfull_connection_win7.pcap) and the easybox 803 as the AP. I have 
attached the .pcap file so i hope it might help you to track down the source of 
the problem.

Diff it with the other pcap-file where reaver failed in svn-version r25 that 
might help. (dbg_alfa_arcadyan_reaver_r25.pcap)

In the first look there is e.g. the Connection Type Flags in the EAP "Response 
Expanded Type, WPS, M2" that has the IBSS flag set.

And then in the same packet the "Config Methods" differ whereas in the working 
one the flag for "Push Button" is set and in the packets generated by reaver 
its not. And so on...

Unfortunately i don't have the spec of the wifi-alliance so i can't tell whats 
necessary and whats not but i guess you have em? So i hope this could help in 
making the tool work with more routers.

Original comment by S3M73X on 30 Dec 2011 at 5:26

Attachments:

• dbg_sucessfull_connection_win7.pcap
• dbg_alfa_arcadyan_reaver_r25.pcap

[GoogleCodeExporter]

btw. in the former post filter in wireshark for "eapol" then look at packet #24 
from "dbg_alfa_arcadyan_reaver_r25.pcap " and compare it to the packet #29 in 
"dbg_sucessfull_connection_win7.pcap" ... i guess somewhere there could be the 
error

Original comment by S3M73X on 30 Dec 2011 at 5:29

[GoogleCodeExporter]

Thanks, pcaps are very helpful. :)  I'm going through and changing the options 
to mimic the win7 capture to see if that fixes things.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 5:58

[GoogleCodeExporter]

OK, just made a check in that changes some of what (I think) are the more 
critical flags in the M2 packet. See if that gets you any farther with these 
APs.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 6:20

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Same problem here with latest checkout:

I'm on 32bit and use ath5k

$ sudo ./reaver -i mon0 -b **:**:**:**:68:65 -vvv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from **:**:**:**:68:65
[+] Switching mon0 to channel 6
[+] Associated with **:**:**:**:68:65 (ESSID: *************)
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[!] WARNING: 10 failed connections in a row
[+] Trying pin 51408411
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[!] WARNING: 10 failed connections in a row
[+] Trying pin 51408411
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 51408411
[!] WARNING: Receive timeout occurred
[+] Trying pin 51408411
[+] Trying pin 51408411
[+] Trying pin 51408411
[!] WARNING: 10 failed connections in a row
[+] Trying pin 51408411
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 51408411

Original comment by nop...@gmail.com on 30 Dec 2011 at 6:42

[GoogleCodeExporter]

It is still the same Problem after trying with reaver r26.
And i cannot see either the Push-Button nor the IBSS flag in the M2-packet.
Pcap attached.

Original comment by S3M73X on 30 Dec 2011 at 7:11

Attachments:

• reaver_r26_dbg.pcap

[GoogleCodeExporter]

S3M73X,

It looks like you need to do a 'make cleanall' then './configure && make' to 
ensure you've re-built all the code in the sub-directories too.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 7:17

[GoogleCodeExporter]

tried r26. still having the same issue.

Original comment by psycon...@gmail.com on 30 Dec 2011 at 7:33

[GoogleCodeExporter]

I uploaded three screenshots where you can see the reaver-EAP-M2-packet on the 
left and the win7-connection-M2-packet on the right with some important(?) 
differences highlitet. Note that there are more differences.

The file on the left: "reaver_r26_dbg_diffs.pcap" is attached
The file on the right: "dbg_sucessfull_connection_win7.pcap" has allready been 
attached earlier in this issue-thread.

I am pretty sure that missing parameters/flags are not a good idea when you 
want a very wide coverage of access-points to be attackable with that tool?

In screenshot "3_association_state.png" the missing association-state is also 
something i guess could make the AP NACK-off the client?

Original comment by S3M73X on 30 Dec 2011 at 7:41

Attachments:

• 1_connection_flags.png
• 2_config_methods.png
• 3_association_state.png
• reaver_r26_dbg_diffs.pcap

[GoogleCodeExporter]

I tried r21 this morning and the problem disappeared (Ubuntu 10.04 32bit + 
ath5k). It's still running...

Original comment by eb4...@gmail.com on 30 Dec 2011 at 7:48

[GoogleCodeExporter]

When I run Reaver, my settings exactly match those from the win7 capture that 
you highlighted above:

IBSS is set
Label, display and push button config methods are set
Association state is connection success

There is one other change that I made in the M2 settings, which is the 
supported bands setting (set to 2.4ghz). I notice that your M2 messages do have 
this option, but not the three options above. Based on the files modified to 
make these changes, I suspect that you still need to do a full re-build of the 
code:

make cleanall
./configure
make

If you do that, you should see all of those values correctly set in the M2 
packet, and hopefully that will appease the AP.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 7:49

[GoogleCodeExporter]

Yep, a "make cleanall" works better then the "make clean" i used before.
Also did delete it and did a new check-out as well now the flags are set but 
result is the same:
-------------
root@fuckup:src $ ./reaver -i mon0 -b 7C:4F:B5:C8:64:09 -vv

Reaver v1.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from 7C:4F:B5:C8:64:09
[+] Switching mon0 to channel 1
[+] Associated with 7C:4F:B5:C8:64:09 (ESSID: EasyBox-C86429)
[+] Trying pin 11902461
[+] Trying pin 11902461
[+] Trying pin 11902461
[+] Trying pin 11902461
[+] Trying pin 11902461
[+] Trying pin 11902461
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 11902461
[+] Trying pin 11902461
[+] Trying pin 11902461
[+] Trying pin 11902461
[!] WARNING: 10 failed connections in a row
---------------------
pcap-file attached below

Original comment by S3M73X on 30 Dec 2011 at 8:35

Attachments:

• reaver_r30_dbg.pcap

[GoogleCodeExporter]

OK, I added some additional fields so the Reaver M2 packet should look nearly 
identical to the win7 M2 packet now.

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 9:15

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

I know its not the same topic, but i have a question:

i often get the warning: failed to associate with xx.xx...(BSSID) what does 
this mean?
Am i too far away from the AP or is there a correlation with used MAC-Adress 
filter maybe?  

Injection and all is working fine, got one cracked in 5 hours so i just wanted 
to say your open source programm is awesome, thx for sharing it.

Original comment by 1337_sp...@gmx.ch on 30 Dec 2011 at 10:16

[GoogleCodeExporter]

 WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] 5.77% complete @ 3 seconds/attempt
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[!] WARNING: 10 failed connections in a row
[+] 5.77% complete @ 3 seconds/attempt
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] 5.77% complete @ 3 seconds/attempt
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[!] WARNING: Receive timeout occurred
[+] Trying pin 12033942
[+] Trying pin 68253943
[+] 5.79% complete @ 3 seconds/attempt
[+] Trying pin 83123948
[+] Trying pin 53443946
[+] Trying pin 47133945
[+] Trying pin 54193949
[+] Trying pin 37683948




still having intermittent timeouts using r30.

Original comment by psycon...@gmail.com on 30 Dec 2011 at 10:39

Attachments:

• reaver.pcap

[GoogleCodeExporter]

@ 1337_speak:

Yes, if you are having intermittent failed association messages I'd suspect 
that either the signal strength of the AP is low (or your signal strength at 
the AP is low), or there is interference from other networks.

@psycon:

I haven't looked at the pcap, but timeout warnings are not uncommon. Usually 
what has happened is that a packet was dropped or corrupted and the AP is stuck 
in a wait state for a couple of minutes waiting for the next packet. During 
this time it will not accept new WPS attempts, so you end up getting a bunch of 
timeouts for a couple of minutes, then things start going again. If you are 
getting a lot of these, even with a strong signal from the AP and little 
wireless interference (especially if it is manifesting itself for only one 
particular device), please open a new support ticket. 

Original comment by cheff...@tacnetsol.com on 30 Dec 2011 at 11:05

[GoogleCodeExporter]

I'm still having lots of Receive timeouts from a nearby AP. Signal strength or 
interference is not a problem. Tested 3 different APs with RSSI better than 
-70dBm.
These are not intermitent timeouts as in r16, but constant since r21.

reaver-wps v1.2 r32 on Ubuntu 10.04 32bits + ath5k

/reaver -i mon0 -b 00:23:CD:xx:yy:zz -vv

Reaver v1.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from 00:23:CD:xx:yy:zz
[+] Associated with 00:23:CD:xx:yy:zz (ESSID: HomeAP1)
[+] Trying pin 89439016
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[+] Trying pin 89439016
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred

Original comment by eb4...@gmail.com on 30 Dec 2011 at 11:54

[GoogleCodeExporter]

@eb4fbz:

You won't get very far with signal strengths of -70db.  I would fully expect 
that you would get receive timeouts with RSSIs that low. However, if you are 
getting those same results with stronger signals, this is not the place for 
them; please open a new ticket.

Original comment by cheff...@tacnetsol.com on 31 Dec 2011 at 12:50

[GoogleCodeExporter]

@cheff...
Tested with reaver r33.
Okay now it looks a littlebit better. It tries at least some pins before it is 
going into the time-out.

Last successfull attempt seems to be in packet #689 in the attached .pcap-dump.
After that point the AP is stopping the EAP-handshake after it received the 
EAP-response-identity-packet.

I also tried to log in on a Win7-client but then WPS-PIN-login was no longer 
possible, only WPA-PSK. So it might either be a protection mechanism or the 
wps-part in the router crashes.

THX for your fixes so far. I will recheck the webinterface of the device.
----------------------------
root@fuckup:src $ ./reaver -i mon0 -b 7C:4F:B5:C8:64:09 -vv -c 1

Reaver v1.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching mon0 to channel 1
[+] Waiting for beacon from 7C:4F:B5:C8:64:09
[+] Switching mon0 to channel 1
[+] Associated with 7C:4F:B5:C8:64:09 (ESSID: EasyBox-C86429)
[+] Trying pin 75948795
[+] Trying pin 58468791
[+] Trying pin 58658796
[+] Trying pin 34808795
[+] Trying pin 57768793
[+] Trying pin 80888796
[+] 0.05% complete @ 2 seconds/attempt
[+] Trying pin 08358790
[+] Trying pin 30838796
[+] Trying pin 08848796
[+] Trying pin 18108798
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[+] 0.09% complete @ 3 seconds/attempt
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] 0.09% complete @ 6 seconds/attempt
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[!] WARNING: 10 failed connections in a row
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] 0.09% complete @ 9 seconds/attempt
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] 0.09% complete @ 12 seconds/attempt
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[!] WARNING: 10 failed connections in a row
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] 0.09% complete @ 16 seconds/attempt
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] 0.09% complete @ 19 seconds/attempt
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[!] WARNING: 10 failed connections in a row
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] 0.09% complete @ 22 seconds/attempt
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
[!] WARNING: Receive timeout occurred
[+] Trying pin 66998792
^C
----------------------------

Original comment by S3M73X on 31 Dec 2011 at 1:11

Attachments:

• reaver_r33.pcap

[GoogleCodeExporter]

@cheff
yep, the AP is locking down WPS after too many failed attempts.
This is what i saw in the logfiles of the Arcadyan EasyBox 803:
-------------
06/30/2011  00:27:29 [WPS] Lock External Registrar authentication due to too 
many failed attempts
06/30/2011  00:27:29 [WPS] External Registrar authentication fail from 
00-C0-CA-52-AE-37
06/30/2011  00:27:27 802.1X supplicant 00-C0-CA-52-AE-37 logoff
06/30/2011  00:27:27 [WPS] External Registrar authentication fail from 
00-C0-CA-52-AE-37
-------------
This is actually pretty funny since on that particular device you can calculate 
the WPS-PIN from the BSSID so it is pwned anyways. ^^

THX for your support! I will be back when i have another WPS-PIN-enabled device 
to test.

Original comment by S3M73X on 31 Dec 2011 at 1:15

[GoogleCodeExporter]

Great, glad those changes got it working. Thanks a lot for all the debugging 
and pcaps, very helpful!

Original comment by cheff...@tacnetsol.com on 31 Dec 2011 at 1:18

• Changed state: Fixed

[GoogleCodeExporter]

FYI, I can confirm this behavior on a Netgear WNR1000v2 as well. It does not 
broadcast that it has locked WPS, but it responds with NACK messages after 
receiving the M2 packet from Reaver. After 4-5 minutes, the AP unlocks and the 
pins start incrementing again.

Original comment by cheff...@tacnetsol.com on 6 Jan 2012 at 8:11

[GoogleCodeExporter]

Hey S3M73X, how can I calculate the WPS-Pin from a Easybox using its BSSID? 
never heard of such a method...

Original comment by CaptnCAP...@gmail.com on 23 Feb 2012 at 1:34

[GoogleCodeExporter]

I was receiving the same issue. I set the delay to around 7 seconds: -d 7
And it worked well after that.

Original comment by mjhaven...@gmail.com on 23 Dec 2012 at 5:45

[GoogleCodeExporter]

It seems that APs' behaviors vary wildly when it comes to their WPS brute-force 
countermeasure implementation. Some have none, others are very strict. Reaver 
is robust enough to permit automated pattern matching, if one is identified.

Original comment by ore...@gmail.com on 23 Dec 2012 at 5:54

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Hello all I am fairly new to backtrack. Please help me with my problem!  I 
can't seem to find any advice about my specific issue anywhere on the web and 
would really appreciate some help.
I am using the Alfa awus036h with virtual box on windows 7.  

Checked to make sure it was connected and put it in monitor mode.
root@bt:~# airmon-ng


Interface   Chipset     Driver
mon0        Realtek RTL8187L    rtl8187 - [phy1]
wlan0       Realtek RTL8187L    rtl8187 - [phy1]

killed all interfering processes. 

root@bt:~# airmon-ng check
Process with PID 2255 (wash) is running on interface mon0
Process with PID 2426 (airodump-ng) is running on interface mon0
Process with PID 2434 (airodump-ng) is running on interface mon0





root@bt:~# reaver -i mon0 -b 38:6B:BB:D2:39:B5 -c 6 -s -l -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching mon0 to channel 6
[+] Waiting for beacon from 38:6B:BB:D2:39:B5
[+] Associated with 38:6B:BB:D2:39:B5 (ESSID: Fibertel WiFi661)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete @ 2013-11-15 22:56:53 (0 seconds/pin)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[!] WARNING: 10 failed connections in a row
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete @ 2013-11-15 22:59:43 (0 seconds/pin)


It keeps going through the same process and never changing the pin.  Please 
help in any way you can! Thanks!!

Original comment by tim.sant...@gmail.com on 16 Nov 2013 at 2:24

[GoogleCodeExporter]

how it is fixed? same issue here. no fix yet?

Original comment by radutmar...@gmail.com on 8 Jan 2015 at 4:26

[GoogleCodeExporter]

 Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete @ 2015-03-10 22:58:16 (0 seconds/pin)
[+] Max time remaining at this rate: (undetermined) (11000 pins left to try)
[+] Trying pin 12345670

Original comment by radutmar...@gmail.com on 10 Mar 2015 at 9:10